The “Science” underpinning Dam Safety Analysis
Some directions for industrially relevant scientific research
Dr. Des Hartford

Internal erosion

[Figure: sinkhole at the core of an embankment dam; reservoir elevation (m, 1260 to 1285) against time, 1987 to 1999, marking a sinkhole event and the typical piezometer response. Examples: WAC Bennett Dam, Tongue River Dam, Coursier Lake Dam]

PART I - Philosophical and scientific considerations

One must first establish the philosophical and scientific basis in order to be practical

Attributes of good research
• Collection of and respect for data
• Careful observation and critical experimentation
• Complete approach ensuring different aspects are compatible with each other
• Scepticism about conclusions
• Recognition that at research boundaries, science is tentative knowledge

The “Practicability” issue
• Difference between “Practical” and “Practicable”
– Not well understood
• Practicability pertains to “technically workable” - can be done!
• Practical does too
– but can be prone to personal opinions concerning
» ease of achievement (cost or difficulty)
• “Practicable” includes “Practical”
– Research focus on “practicability”.

The “Generalisation” issue
• General theories provide solutions to the full spectrum of specific problems
• Problem specific theories provide solutions to specific problems
• Research focus on “general theories” applicable to a wide range of specific problems
– not constrained by a “problem related” agenda
» but has a suite of “real problems” in the background

Paradox #1
• Industry research is focused on developing solutions to its problems
• Science apparently focuses on “non-industrially relevant” research
– Hence often little industry support for scientific research
• difficult to prepare a business case for scientific research
– even though many “industrial problems” can not be solved properly because the scientific basis has not been established.

Why do research into whatever?
• To advance practices by improving methods
• Possibly to justify practices
• To develop new knowledge
• Establish the scientific basis of new methods
– Takes as premise incompleteness of existing state of knowledge and capability
• To develop confidence in methods
– Essential for legal defensibility
• Includes challenging the validity of practices

Plausible reasoning or “##*#!!”
• Monitoring will improve the safety, if preventative action is planned and taken when observations show that failure is imminent. Failure will now only occur when a mechanism fails AND this is not observed OR there is insufficient time for an adequate intervention.
• Write your interpretation!
– In a logically correct form

Revised logic of the “Experts”!!
– Monitoring will improve the safety, if appropriate preventative action is planned and taken when observations show that failure is imminent.
• Failure will now not occur when a failure mechanism develops AND this is observed, AND there is sufficient time for intervention.
• Compare with
– Failure will now only occur when a mechanism fails AND this is not observed OR there is insufficient time for an adequate intervention.

Logic of correct reasoning!

FAILURE MECHANISM OCCURS
├─ FAILURE MECHANISM OBSERVED
│  ├─ SUFFICIENT TIME TO INTERVENE → NO FAILURE
│  └─ INSUFFICIENT TIME TO INTERVENE → FAILURE
└─ FAILURE MECHANISM NOT OBSERVED → FAILURE
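The two readings of the monitoring statement differ only in how AND and OR are grouped, and that is a precedence question that can be checked mechanically rather than argued. The Python below is an added example, not part of the original slides: it enumerates the eight combinations of mechanism occurs / observed / sufficient time, lists the cases where the literal precedence reading of the first statement diverges from its intended meaning, and confirms that the “experts’” no-failure statement is the complement of the intended failure condition only once a mechanism has developed, which is exactly what the tree above says. The function names are the example's own.

```python
"""Truth-table check of the 'plausible reasoning' statements on monitoring.

Added example. The three predicates are the slide's three statements written
out as Boolean functions of the same three events.
"""
from itertools import product

Events = tuple[bool, bool, bool]  # (mechanism_occurs, observed, enough_time)


def failure_literal(occurs: bool, observed: bool, enough_time: bool) -> bool:
    """Original statement read with ordinary precedence (AND before OR):
    'mechanism fails AND not observed, OR insufficient time'."""
    return (occurs and not observed) or (not enough_time)


def failure_intended(occurs: bool, observed: bool, enough_time: bool) -> bool:
    """Intended meaning: a mechanism must occur, AND it is either missed
    OR seen too late. The brackets around the OR are the whole point."""
    return occurs and ((not observed) or (not enough_time))


def no_failure_experts(occurs: bool, observed: bool, enough_time: bool) -> bool:
    """Revised statement: no failure when a mechanism develops AND it is
    observed AND there is time to intervene."""
    return occurs and observed and enough_time


def all_cases() -> list[Events]:
    return list(product([False, True], repeat=3))


def literal_vs_intended() -> list[Events]:
    """Cases where the precedence reading and the intended reading disagree.
    Both are (no mechanism, insufficient time): the literal reading predicts
    failure with nothing to fail."""
    return [c for c in all_cases() if failure_literal(*c) != failure_intended(*c)]


def experts_matches_tree() -> bool:
    """Given that a mechanism occurs, the experts' no-failure condition is
    exactly the complement of the intended failure condition, i.e. the two
    statements describe the same branches of the tree."""
    return all(no_failure_experts(*c) == (not failure_intended(*c))
               for c in all_cases() if c[0])


def experts_silent_without_mechanism() -> bool:
    """Without a mechanism there is no failure, yet the experts' statement is
    also false: it says when monitoring averts failure, not when failure is
    absent. 'No failure' and 'not failure' are different propositions."""
    return all((not failure_intended(*c)) and (not no_failure_experts(*c))
               for c in all_cases() if not c[0])


def print_table() -> None:
    print("occurs observed time | literal intended experts_no_failure")
    for c in all_cases():
        print(f"{str(c[0]):6} {str(c[1]):8} {str(c[2]):4} | "
              f"{str(failure_literal(*c)):7} {str(failure_intended(*c)):8} "
              f"{no_failure_experts(*c)}")


if __name__ == "__main__":
    print_table()
    print("literal != intended in:", literal_vs_intended())
```

The same discipline applies to any natural-language safety or access-control condition: write it as a predicate and enumerate, because a misplaced OR changes the set of states that count as safe.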

Defining “Research Focus”
• Distinction between innovative science and short term “industrially relevant” research.
– “Industry should do its own research and a lot more of it. The pursuit of knowledge in universities should not be allowed to suffer simply to make good industrial shortcomings” (George Porter, President of the Royal Society, 1985-1990).
• Dam safety analysis research must have a dual focus - industry’s immediate needs and improving the science of dam safety analysis
– must meet industry needs and explore solutions to problems that industry does not yet recognise exist!

What do we mean by science?
• Science is knowledge ascertained by observation and experiment, critically tested, systemised and brought under general principles.
– Engineering science is intended to provide the reliable knowledge that underpins dam safety engineering practice.
• Need to clearly distinguish between
– engineering science and
– engineering practice
» and differences in the nature of research

Part II - Considerations about practicability

Search for generalised solutions to the full spectra of specific problems

Models - 2 types
• Science models
– a means of representing the state of knowledge or 'science' concerning a phenomenon
• It provides an interpretation in mathematical terms of what is currently known or accepted as physical descriptions of the phenomenon.
• Predictive models
– predictive models may, and usually do, incorporate science models but go beyond them in having to deal with issues that cannot be subjected to the procedures of science.

Predictive Models
– Predictive models represent a conjecture of what might happen under stated assumptions.
• Predictive models incorporate science sub-models describing the progression to the defined failure state.
– The hypothesised progression is identified by some systematic technique such as fault tree analysis.
» A predictive model is a tool of risk assessment and incorporates assumptions and judgements about the effects of particular practical circumstances. Such assumptions and judgements may not be testable by the methods of science. Where judgement has to be exercised, there is a need for conformity to some principles.

Representativeness
• Predictive models are idealisations incorporating approximations to reality.
– The presentation of a predictive model needs to be clear about:
• what features of the practical situation are chosen to be represented and why?
• what features are judged not to need representation and why?
• what features cannot be represented and why?
– Transparency is key to quality assessment to enable independent judgements to be made.

Physics of dam performance
• Dam behaviour is necessarily determined by the laws of physics.
– Should the performance of dams be described by science models or predictive (Type A) models?
• What are the reasons behind the answer to this key question?

Qualifying data
• Science does not accept data at face value
– Data must be collected in terms of accepted norms and must “qualify” as acceptable
• Field measurements
– never questioned when things “look right”
– often doubted when things “look wrong”
» but knowing “right” from “wrong” is always uncertain
• Case history data
– not always right
» failure process often obliterates essential evidence!

Mafeteng Dam Failure on first filling, 1988
Dam failed in spillway area
‘nominally’ reinforced thin slab, void behind ogee weir
Not internal erosion failure as reported and then relied on in method to estimate probability of failure

Qualifying ‘experts’
• Experts should have
– substantive (subject matter) expertise
• extensive experience in dealing successfully with the phenomenon
– normative expertise
• be well calibrated
– have a proven track record in successfully predicting the outcome of future investigations or events

Demonstrating judgement

[Figure: Judgement, Opinion, Expectation, Data and Facts]

PART III
DAM SAFETY INTEREST GROUP RESEARCH

Model of a Physical System

[Figure: embankment dam cross-section - upstream shell with rip rap, filter, core, filter, downstream shell with rip rap]

System Model

[Figure: annualized initiating event → load → fragility curve (probability of failure against load) → event tree]

What is an Event Tree
• Model of a physical system?
– (e.g., a model of a particular dam).
• Statement about joint probabilities?
– (e.g., a model of the sample space of random variables).
• Accounting scheme for information and beliefs?
– (e.g., a representation of a belief structure).

Accounting scheme for information and beliefs

Initiating Event (I)
├─ System 1 Success State (S1)
│  ├─ System 2 Success State (S2) → accident sequence (IS1S2)
│  └─ System 2 Failure State (F2) → accident sequence (IS1F2)
└─ System 1 Failure State (F1)
   ├─ System 2 Success State (S2) → accident sequence (IF1S2)
   └─ System 2 Failure State (F2) → accident sequence (IF1F2)

[Figure: logic tree over states of nature (α, β, γ; leaf α4, β1, γ1) alongside the event tree]

Flood Levee Example

[Figure: levee cross-section with river stage (water height), floodway sand boil, possible sand lens, flow path through lens, potential failure surface]

Flood Levee Example - Influence Diagram

[Influence diagram nodes: Extreme Rainfall, Peak Discharge (Q), River Stage (H), Flood Duration (T), Piping, Floodway sand boil, Sand Stringers Exist, Static Strength Failure, Pore Pressure, Weak Soil Fill, Overtopping, Loss of Containment]

Internal Erosion

[Influence diagram with AND (*) and OR (+) gates. Nodes: High Pool, Pressure Gradient in Shell, gradient exists, Flaw Exists, Erodible Fill or Soil, erodible soil, Core Erosion Initiates, core erodes, Filter Inadequate, Pore Pressure, Piping Starts, Tunnel Forms, Exit Forms, Breach, Piping Failure / internal erosion failure]

Internal Erosion

[Event tree: high pool → flaw exists / no flaw → (high) gradient exists / no (high) gradient → erodible soil / non-erodible → filter inadequate / filter OK → core erodes / no core erosion → failure by piping / no failure]

Assigning Probabilities to Branches
Structuring event tree → Modeling events → Quantifying probabilities → Separating uncertainties

Assigning Probabilities to Branches
• Statistical estimates
• Reliability (probability) modelling
• Expert judgement

Flood Event (I)
├─ Gate OK (S1)
│  ├─ Not Overtopped (S2) → (IS1S2)
│  └─ Dam Overtopped (F2) → (IS1F2)
└─ Gate Fails (F1)
   ├─ Not Overtopped (S2) → (IF1S2)
   └─ Dam Overtopped (F2) → (IF1F2)

Fault Tree Gate Model (Part III Section 3.3.1)
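The accounting-scheme tree and the flood/gate tree have the same shape: an initiating event followed by system states, with each leaf labelled by the path that reaches it. What the slides leave implicit is that the branch probability at the second system generally depends on what happened at the first, which is one of the “dependencies among branch probabilities” listed later. The Python below is an added example, not code from the slides or from the Dam Safety Interest Group; every probability and the flood frequency in it is constructed for illustration. It enumerates the sequences IS1S2 … IF1F2, checks that the branches at every node sum to one, compares the overtopping probability with and without the gate dependency, and annualises the result against the initiating-event frequency as the System Model slide does.

```python
"""Event-tree enumeration with path-dependent branch probabilities.

Added example for the Flood Event / Gate / Overtopping tree. All numbers are
constructed for illustration and are not from the slides.
"""
from typing import Callable, Dict, List, Tuple

Path = Tuple[str, ...]
# A stage maps the path so far to {state: P(state | path)}.
Stage = Callable[[Path], Dict[str, float]]


def enumerate_sequences(initiator: str, stages: List[Stage]) -> Dict[Path, float]:
    """Walk the tree stage by stage; return P(sequence | initiator) per leaf.

    Because each stage sees the whole path, a branch probability may depend
    on earlier outcomes. The branches at every node must sum to 1, otherwise
    the leaves no longer partition the sample space.
    """
    leaves: Dict[Path, float] = {(initiator,): 1.0}
    for stage in stages:
        expanded: Dict[Path, float] = {}
        for path, p in leaves.items():
            branches = stage(path)
            if abs(sum(branches.values()) - 1.0) > 1e-9:
                raise ValueError(f"branches after {path} do not sum to 1: {branches}")
            for state, q in branches.items():
                expanded[path + (state,)] = p * q
        leaves = expanded
    return leaves


def label(path: Path) -> str:
    """('I', 'S1', 'F2') -> 'IS1F2', the accident-sequence label on the slide."""
    return "".join(path)


def gate_stage(path: Path) -> Dict[str, float]:
    # Constructed: the spillway gate operates on demand 99% of the time.
    return {"S1": 0.99, "F1": 0.01}


def overtopping_stage(path: Path) -> Dict[str, float]:
    # Constructed: overtopping is far more likely once the gate has failed.
    if path[-1] == "F1":
        return {"S2": 0.60, "F2": 0.40}
    return {"S2": 0.999, "F2": 0.001}


def overtopping_independent(path: Path) -> Dict[str, float]:
    # The gate-OK numbers applied regardless of gate state: the (wrong)
    # independence assumption, kept for comparison.
    return {"S2": 0.999, "F2": 0.001}


def p_failure(leaves: Dict[Path, float], failure_state: str = "F2") -> float:
    """P(final state is failure | initiating event)."""
    return sum(p for path, p in leaves.items() if path[-1] == failure_state)


def annual_probability(initiator_frequency: float, p_fail_given_initiator: float) -> float:
    """Annualised initiating-event frequency x P(failure | initiating event)."""
    return initiator_frequency * p_fail_given_initiator


FLOOD_FREQUENCY_PER_YEAR = 0.01  # constructed: floods that demand gate operation


if __name__ == "__main__":
    dependent = enumerate_sequences("I", [gate_stage, overtopping_stage])
    for path, p in dependent.items():
        print(f"{label(path):8s} {p:.6f}")
    pf_dep = p_failure(dependent)
    pf_ind = p_failure(enumerate_sequences("I", [gate_stage, overtopping_independent]))
    print(f"P(overtopped | flood): dependent {pf_dep:.5f}, independent {pf_ind:.5f}")
    print(f"annualised: {annual_probability(FLOOD_FREQUENCY_PER_YEAR, pf_dep):.2e} per year")
```

With these constructed numbers the dependent tree gives P(overtopped | flood) about five times the value the independence assumption gives, all of the difference coming from the IF1F2 sequence; the sum-to-one check is what catches a tree whose branches were quantified separately by different people.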

Essential Elements of Probability

Many Issues in Assigning Probabilities
• Complexity of event structure.
– Separation of natural variability and knowledge uncertainty.
– Dependencies among branch probabilities.
• Causal
• Probabilistic
• Stochastic
• Statistical
– Model uncertainty.
– Discretization.

[Figure: event tree with stages Rainfall, Discharge, Stage, Duration, Strength, Failure, labelling a NODE's parent, child, sibling branch and cousin branch]

Dr. Lombardi’s observation
– The result of the risks analysis for dams sounds more likely a "semi-scientific, semi-subjectively estimated theoretical index to be used to compare different designs or different dams in order to evaluate the likelihood of their margin of security, and to rank them in order to optimise the allocation and distribution of resources between various requirements".
• Because of the political and social lack of understanding of this kind of problems and possible misuses, the term "risk" should be avoided.

PART IV: What to do in the interim

The practicability of risk management

Risk regulation
• “It is the nature of risk that, frequently, those who create risk do not bear its consequences nor its wider costs. So the market does not function properly as a distributive mechanism. The State must intervene to regulate risk.” (Bacon, 1999)

• “Industry is required to assess the risks it creates and take action proportionate to those risks to reduce them to a level which is as low as reasonably practicable. The overall aim must be to keep accidents and ill health to a minimum”

Safety Case
• Basis for judging the acceptability of the safety of dams whose design and construction are not in keeping with modern practices.
• Justifies incurring risk at a particular level;
• Costs of further risk reduction grossly disproportionate to risk reduction benefits
• Demonstrates
• “Trade-offs” between costs and benefits are appropriate;
• The responses to risk are “proportionate” to the degree of risk.

FLOOD DATA

[Figure: annual exceedance frequency (10^-6 to 10^-3, log scale) against discharge Q, marking Load IFF and Load PMF and the characteristics of IFF and of PMF]

The idea of the “Imminent Failure Flood”

DAM PERFORMANCE DATA

[Figure: pseudo Pf (0 to 1) against discharge Q, rising between Q_IFF (existing design, "IFF") and Q_PMF ("desirable" standards-based design); knowledge (epistemic) uncertainty around the loading conditions at which the design basis is exceeded; uncertainty in performance at IFF and at PMF]

1st ESTIMATE OF PROBABILITY OF FAILURE

[Figure: annual exceedance frequency (10^-6 to 10^-3) of Q combined with pseudo Pf (0 to 1) between Q_IFF and Q_PMF, with the characteristics of IFF and of PMF]
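The System Model slide chains an annualised initiating event, a load, a fragility curve and an event tree; the IFF/PMF slides give the fragility a concrete form, a pseudo Pf rising from 0 at Q_IFF to 1 at Q_PMF, and overlay it on the annual exceedance curve. The Python below is an added example, not from the slides, that carries that “1st estimate” through numerically. The discharges, exceedance frequencies and the straight-line ramp for pseudo Pf are all constructed assumptions; the slides only sketch a rising curve. It integrates the fragility against the exceedance curve and checks the two bounding cases the figure implies: a dam that fails at every flood above the IFF (P_f equals the exceedance frequency of the IFF) and one that fails only at the PMF.

```python
"""First estimate of annual probability of failure from an exceedance curve
and a fragility curve (the IFF / PMF construction on the slides).

Added example; discharges (m^3/s) and frequencies are constructed and are not
from the slides.
"""
from typing import Callable

Q_IFF = 3000.0    # constructed: imminent failure flood of the existing design
Q_PMF = 6000.0    # constructed: probable maximum flood
AEF_IFF = 1e-3    # constructed: annual exceedance frequency at Q_IFF
AEF_PMF = 1e-6    # constructed: annual exceedance frequency at Q_PMF


def aef(q: float) -> float:
    """Annual exceedance frequency of discharge q: a straight line on the
    log-frequency axis of the FLOOD DATA plot through (Q_IFF, AEF_IFF) and
    (Q_PMF, AEF_PMF)."""
    t = (q - Q_IFF) / (Q_PMF - Q_IFF)
    return AEF_IFF * (AEF_PMF / AEF_IFF) ** t


def pseudo_pf_ramp(q: float) -> float:
    """Pseudo Pf: 0 below the IFF, 1 at and above the PMF, linear between.
    The linear shape is an assumption of this example."""
    if q <= Q_IFF:
        return 0.0
    if q >= Q_PMF:
        return 1.0
    return (q - Q_IFF) / (Q_PMF - Q_IFF)


def step_at(q_step: float) -> Callable[[float], float]:
    """Fragility that jumps from 0 to 1 at q_step: the bounding cases."""
    return lambda q: 1.0 if q >= q_step else 0.0


def annual_failure_probability(fragility: Callable[[float], float],
                               q_lo: float = Q_IFF, q_hi: float = Q_PMF,
                               n_bins: int = 4000) -> float:
    """P_f = integral of Pf(q) over the annual frequency density of q.

    Discretised as the sum over discharge bins of Pf(midpoint) x
    (AEF(a) - AEF(b)), i.e. the annual frequency of a flood landing in the
    bin times the chance the dam fails at that load. Floods beyond q_hi are
    lumped at AEF(q_hi) with fragility Pf(q_hi); below q_lo Pf is taken as 0.
    """
    total = aef(q_hi) * fragility(q_hi)
    dq = (q_hi - q_lo) / n_bins
    for i in range(n_bins):
        a = q_lo + i * dq
        b = a + dq
        total += fragility(0.5 * (a + b)) * (aef(a) - aef(b))
    return total


def bounds_hold(pf: float) -> bool:
    """Any fragility that is 0 below the IFF and 1 at the PMF must give
    AEF(PMF) <= P_f <= AEF(IFF); a result outside this range is a bug."""
    return aef(Q_PMF) - 1e-12 <= pf <= aef(Q_IFF) + 1e-12


if __name__ == "__main__":
    pf = annual_failure_probability(pseudo_pf_ramp)
    print(f"ramp fragility:       P_f = {pf:.3e} per year  bounds ok: {bounds_hold(pf)}")
    print(f"fail at IFF (upper):  P_f = {annual_failure_probability(step_at(Q_IFF)):.3e} per year")
    print(f"fail only at PMF:     P_f = {annual_failure_probability(step_at(Q_PMF)):.3e} per year")
```

The two step cases reproduce the exceedance frequencies of the IFF and the PMF exactly (the bin sum telescopes), which is the sanity check to run before trusting any shaped fragility curve; with the constructed numbers the linear ramp lands roughly an order of magnitude below the conservative fail-at-IFF estimate. Where the slides put the limit of tolerability on this same axis, the comparison is between P_f and that limit, not between the IFF exceedance frequency and the limit.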

Basis for discussion - Risk to ‘Individuals’
NOTE: HSE presents this figure without numbers - this reinforces HSE’s view that tolerability of risk should be considered as a ‘value judgement’.

UNACCEPTABLE region: risks only justified under extraordinary circumstances
TOLERABLE region: risk control measures must be introduced to drive the residual risk towards the broadly acceptable region.
BROADLY ACCEPTABLE region: residual risk insignificant

CHARACTERISING THE TOLERABILITY OF THE RISK

[Figure: annual exceedance frequency (10^-6 to 10^-3) and pseudo Pf (0 to 1) against Q between Q_IFF and Q_PMF, overlaid with the UNACCEPTABLE and TOLERABLE regions and a proposed limit of tolerability; characteristics of IFF and of PMF; “Conservative” Estimate of the Risk to the Individual]

Challenges
• Not as straightforward as it might appear
– Increasing evidence of problems with “contemporary” risk assessments for dams
• Lack of scientific basis
• Proposed approaches generally not calibrated
– Increasing evidence of unreliability of quantification of subjective opinions of possibilities
• Internal erosion is particularly problematic
– Case history data often questionable
– Valid statistical inferences from case history data for individual dams not feasible

A regulator’s view
Miss J. Bacon, Director General of the HSE, commenting on the remark by Dr. Dykes that

‘Engineering is the art of moulding materials we do not understand into shapes we cannot precisely analyse, so as to withstand forces we cannot really assess, in such a way that the community at large has no reason to suspect the extent of our ignorance’

pointed out that “20 years on, such black box mysticism in dealing with sources of risk is no longer viable. The credibility of risk prevention and risk control is at stake”

PART V: Life Safety

Virtual reality simulation of dam emergencies

Historic Data
• Sources of data
• Uncertainty in key parameters
– Accuracy of case history record
• Population at risk
– temporal and spatial uncertainties
• Nature of flooding
– Depths, velocities, destructiveness
• Behaviour of people

Uncertainties in Population at Risk

[Figure: bar chart of uncertainty in "Representative PAR" (representative population at risk, scale 0 to 25) by time of day/week: 08:00-17:00 (w), 17:00-22:00 (w), 22:00-08:00 (w), 10:00-20:00 (w/e), 20:00-10:00 (w/e)]

Multiplicity of Outcomes

[Figure: decision and chance tree from Dam Breach through Population Affected (Representative PAR = 4,675) to Reported Loss of Life (1,372). Legend: possible decision, possible chance, actual decision, actual chance realisation; the "actual" but uncertain sequence of events that led to the reported loss of life; realisable loss of life; estimated mean loss of life]

Probabilistic Representation of Case History Data

[Figure: loss of life from 0 to the total population affected by flood waters (PA|F) = 4,675, with the reported loss of life 1,372 marked; uniform (uninformed) probability distribution 1/(PA|F)]

Dynamics of the “Peoples World”

[Table: Representative PAR by time of year (representative reservoir level: 40 m, JAN 1 - MAR 31; 60 m, APRIL 1 - JUN 30; 80 m, JUL 1 - SEPT 30; 75 m, OCT 1 - DEC 31) and time of week/day (weekdays 8am - 5pm, 5pm - 10pm, 10pm - 8am; weekends 10am - 8pm, 8pm - 10am). PAR values in the table include 4,556, 4,675, 4,209, 3,925, 3,876, 2,564, 2,997, 2,848, 2,672 and 2,789]

Virtual reality modelling of societal risk

[Table: PAR, LOL and probability (values of order 10^-10) by reservoir level and time of year (425 m, JAN 1 - APR 31; 430 m, MAY 1 - JUN 30; 440 m, JUL 1 - AUG 31; 435 m, SEP 1 - DEC 31) and time of week/day (weekdays 8am - 5pm, 5pm - 10pm, 10pm - 8am; weekends 10am - 8pm, 8pm - 10am)]

PART IV: Other issues

The problem of piping risk

Internal erosion risks
• The secret to the problem of analysing internal erosion risks for individual dams might be hidden in the tail of the fragility curve.
– It won’t be hidden in the historic frequency of dam failures

[Figure: suggested form of the fragility curve under "normal" loading conditions - probability of failure by piping, Pf from 0 to 1]

• Tongue River dam was evaluated as “better than average” for static failure modes in 1986
– Probability of failure (by historic failure rate method and engineering judgement) was declared to be 5.4x10-5/year

12 ft diameter, 50 ft long hole

Slice 3 (770 mm) in Filter